HP strikes back against printer hack claims

Trent Nouveau, 30th November 2011

Hewlett-Packard (HP) has issued an official statement in response to a controversial MSNBC report alleging a potential security vulnerability with certain LaserJet printers.

Columbia University professor Salvatore Stolfo told the site that HP printers could theoretically be used as fire starters - if hackers managed to disable various safety protocols by altering default firmware. But Hewlett-Packard dismissed the claims as baseless.

"Speculation regarding potential for devices to catch fire due to a firmware change is false. No customer has reported unauthorized access," HP confirmed.

"[Our] LaserJet printers have a hardware element called a 'thermal breaker' that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability."

Although HP did acknowledge the existence of a potential security vulnerability identified by Stolfo, the company emphasized that certain printers could only be compromised if placed on the Internet without a firewall.

"In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network... [And] in some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade," HP added.

The company also noted that it was coding a firmware upgrade to "mitigate" the issue and recommended users follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed devices.